Bug#769716: iceweasel: downloads Cisco's OpenH264 video codec
Andrey Gursky
andrey.gursky at e-mail.ua
Fri Dec 5 18:17:01 UTC 2014
Hi Mike.
> From: Mike Hommey <mh at glandium.org>
> b) everyone knows what's actually contained in that binary blob, since
> it's built from open source code, and the build is (supposed to be)
> reproductible.
Yes, "supposed to be": "there are ongoing efforts to allow
reproducible builds which will then allow verification of the blob."
[1]
> c) the binary blob is verified against a sha256 checksum downloaded from
> a mozilla server through HTTPS with certificate pinning.
Googling on "libgmpopenh264.so sha256" delivers no url to download
this blob and maybe even it's configure/build options and
dependencies. Googling on "libgmpopenh264.so chksum" results in this
bug report.
Looking further, I've found some relevant url infos:
/usr/share/iceweasel/browser/defaults/preferences/firefox.js:pref("media.gmp-manager.url",
"https://aus4.mozilla.org/update/3/GMP/%VERSION%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/%OS_VERSION%/%DISTRIBUTION%/%DISTRIBUTION_VERSION%/update.xml");
But it's still not really helpful.
While cisco blobs are clearly available [2], Mozilla seems to be not
transparent in this issue.
A binary from cisco:
-rw-r--r-- 1 andrey andrey 1040584 Aug 8 06:29 libopenh264-1.1.0-linux64.so
and one from Mozilla: (~/.mozilla/firefox/*/gmp-gmpopenh264/1.1/)
-rwxr-xr-x 1 andrey andrey 1030172 Sep 2 22:27 libgmpopenh264.so
They are obviously different. If I understood correctly, the problem
was in patent fees. Cisco published a binary blob, which all could use
without paying these fees, but it wouldn't be really interesting.
That's why they published source code for it. Now Mozilla can include
the blob and be "almost sure" (for now) that it's really built from
this source code. But now I see Mozilla makes it's own builds? Or
cisco made some not public builds for Mozilla?
Regards,
Andrey
[1] https://bugzilla.mozilla.org/show_bug.cgi?id=1100304#c9
[2] https://github.com/cisco/openh264/blob/master/RELEASES
P.S. I'm happy openh264 is there at Debian experimental and I've
enabled it after update to iceweasel 34, just like to clarify it's
origins.
More information about the pkg-mozilla-maintainers
mailing list